CIOInsider India Magazine


Cybersecurity In E-Commerce: Safeguarding Customers' Data

Shomiron Dasgupta, Founder & CEO, Dnif Nextgen Siem Platform

With a decade’s experience in intrusion analytics, Shomiron is engrossed in developing threat detection systems and serving renowned personalities from finance, telecom, media and e-commerce.
The e-Commerce space has undergone massive transformations since its inception to reach where it is today. If you are old enough to have lived before e-Commerce, you will remember how entering credit card details online used to be an absolute turn-off for most of us. Cut to today, and people no longer think twice before saving their card details online for convenience.

Technology has made life a lot easier for us, or so it seems. Look closely, however, and this so-called ease has opened up an entire ecosystem for cybercriminals to thrive in. Storing payment information turns e-Commerce platforms into high-value targets for a wide range of ever-evolving cyber threats that can wreak havoc. For example, cybercriminals who gain access to sensitive customer data can use it to make fraudulent purchases or sell it on the dark web. e-Commerce business owners need to be wary of the immense risks they may be unwittingly exposing their customers to, and take some basic precautionary steps to keep those risks at bay.

How e-Commerce Businesses can Secure Sensitive Data
While cybercriminals seem to add a brand new threat to their arsenal every passing minute, there are of course best practices and techniques an e-Commerce business can adopt to prevent major mishaps. Here are a few:

Implementation of Best Practice: To shield an e-Commerce business from cyberattacks, the security of the web servers is of paramount importance. Web servers are the most exposed component because they house, or front, sensitive data. Safeguarding the web application and the network is equally important: a company remains open to attack if its web applications are secured but its web servers are not. The following practices strengthen the security of web servers:

I. Removal of Unnecessary Services: Default installations and configurations ship with multiple network services that are rarely needed on a web server. Every unnecessary service left running keeps another port open, which gives a malicious user one more path to abuse. Disable all unnecessary network services; besides shrinking the attack surface, this also improves server performance.

II. Securing Remote Access: Server administrators should never connect to corporate servers over public wireless networks or from public devices. When remote access is required, the connection must be secured with tunneling and encryption protocols (for example SSH or a VPN). Security tokens and single sign-on systems are good practices for shielding the web servers. Remote access to servers should be restricted to a few named accounts and a few source IP addresses.

III. Isolated Testing of Web Applications: Web developers should work against dedicated internal environments that expose the application, its databases and other web server resources only to the development team. Once a web application has been developed, it must not be tested on the production server: an application that has not yet been hardened is visible to attackers there and gives them an easy way in. Develop and test in an isolated, non-production environment, and only then deploy to the live servers.

IV. Maintaining a Separate Drive: Website files and scripts should be kept on a drive (or partition) separate from the operating system. If attackers gain access to the web root directory, they can otherwise use that foothold to reach and exploit other vulnerabilities, corrupting the operating system and other system files and causing a data breach.

V. Permissions & Privileges: If a cybercriminal compromises the web service engine, they can execute whatever the server process is allowed to run; so the web server software must run under a dedicated account with the minimum privileges it needs, and with read-only access to the site's files wherever it does not need to write.
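The checks below are an added example, not code from the article or from DNIF. They turn items I, II, IV and V into shell functions that audit a Linux web server against the output of everyday commands (ss, sshd_config, the mount table, stat), so the same functions can be run on a live host or against saved data. Item III is a process control and has no host-side check. The web root /srv/www, the account www-data, the addresses and every sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the article: audit functions for hardening items I, II, IV
# and V. Each reads captured command output from stdin and returns 0 (pass) or 1 (fail).
# /srv/www, www-data, the addresses and all sample data below are constructed.

# I. Unnecessary services: flag each listening socket whose port is not on the allowlist.
#    $1: allowed ports ("22 443"); stdin: `ss -H -tuln` output (Netid State Recv-Q Send-Q
#    Local:Port Peer:Port). Loopback-only listeners are not exposed and are skipped.
audit_listening_ports() {
    allow=" $1 "; bad=0
    while read -r proto state rq sq laddr peer rest; do
        case "$laddr" in 127.*|'[::1]'*) continue ;; esac
        port=${laddr##*:}
        case "$allow" in
            *" $port "*) ;;
            *) printf 'unexpected listener: %s %s\n' "$proto" "$laddr"; bad=1 ;;
        esac
    done
    return $bad
}

# II. Remote access: no root login, no password logins, and access limited to named
#     accounts (optionally pinned to source addresses). stdin: /etc/ssh/sshd_config.
#     Like sshd, keywords are case-insensitive and the first occurrence wins.
audit_sshd_config() {
    root=; pass=; allow=0; bad=0
    while read -r key val; do
        case "$key" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            permitrootlogin)        [ -n "$root" ] || root=$val ;;
            passwordauthentication) [ -n "$pass" ] || pass=$val ;;
            allowusers|allowgroups) allow=1 ;;
        esac
    done
    [ "$root" = no ]  || { echo 'PermitRootLogin must be "no"'; bad=1; }
    [ "$pass" = no ]  || { echo 'PasswordAuthentication must be "no" (keys only)'; bad=1; }
    [ "$allow" = 1 ]  || { echo 'no AllowUsers/AllowGroups: logins not restricted'; bad=1; }
    return $bad
}

# IV. Separate drive: the web root must sit on its own filesystem, not the one holding
#     the OS. $1: web root; stdin: mount points, one per line (`findmnt -rno TARGET`).
#     The longest mount point that contains the path is the filesystem it lives on.
on_separate_filesystem() {
    path=$1; best=/
    while read -r target; do
        case "$path/" in "$target"/*) [ ${#target} -le ${#best} ] || best=$target ;; esac
    done
    [ "$best" != / ]
}

# V. Least privilege: the account the web server runs as must neither own nor be able to
#    write the site's code. $1: service account; stdin: `stat -c '%U %a %n'` lines, e.g.
#    find /srv/www -exec stat -c '%U %a %n' {} +  (exclude genuine upload directories).
audit_webroot_perms() {
    svc=$1; bad=0
    while read -r owner mode name; do
        if [ "$owner" = "$svc" ]; then
            printf 'owned by service account %s: %s\n' "$svc" "$name"; bad=1
        fi
        case "$mode" in *[2367][0-7]|*[2367])   # group- or world-writable bit set
            printf 'group/world-writable (%s): %s\n' "$mode" "$name"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample data standing in for real command output.
SS_SAMPLE='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111    0.0.0.0:*'
SSHD_WEAK='PermitRootLogin yes
PasswordAuthentication yes'
SSHD_HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@203.0.113.10 ops@203.0.113.11'
MOUNTS='/
/boot
/srv/www'
STAT_SAMPLE='root 755 /srv/www
root 644 /srv/www/index.html
www-data 664 /srv/www/config.php'

report() { label=$1; shift; if "$@"; then echo "$label PASS"; else echo "$label FAIL"; fi; }
printf '%s\n' "$SS_SAMPLE"     | report 'I.  services   ' audit_listening_ports '22 443'
printf '%s\n' "$SSHD_WEAK"     | report 'II. sshd (weak)' audit_sshd_config
printf '%s\n' "$SSHD_HARDENED" | report 'II. sshd (hard)' audit_sshd_config
printf '%s\n' "$MOUNTS"        | report 'IV. filesystem ' on_separate_filesystem /srv/www/site
printf '%s\n' "$STAT_SAMPLE"   | report 'V.  permissions' audit_webroot_perms www-data
```

On a real host the same functions take live input, for example `ss -H -tuln | audit_listening_ports '22 443'` or `audit_sshd_config < /etc/ssh/sshd_config`. The AllowUsers user@host form only restricts SSH; the source-IP restriction from item II should also be enforced at the firewall, and directories the application legitimately writes to (uploads, caches) should be excluded from the permission check rather than made read-only.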

Website Hardening & Additional Security: Website hardening, in keeping with the principle of defense in depth, means adding layers of security so that no single failure leaves the site open to attack. The following points should be kept in mind for website hardening:

i. Allow public access only to the public areas of the application; a web application firewall in front of the site helps enforce this.
ii. Validate input: specify exactly what kind of data you expect from the user, reject anything else, and sanitize what you accept before it reaches the database or the page.
iii. Use multi-factor authentication, especially for administrative access.
iv. Reverse Proxy: A reverse proxy receives requests from web users and forwards them to the origin server, so the client never interacts with the origin directly. Sitting in front of the origin, it hides the origin's identity, blocks access to content that should not be exposed, and can also balance incoming traffic across servers so that a surge does not crash the origin.

1. Selecting the Best Payment Gateway & Service Provider: Using an integrated payment gateway requires a merchant account, a secure bank account that allows the e-tailer to receive credit card payments directly. It is equally important to select a payment service provider (PSP) with a reputable name, no history of outages, and a package that suits the e-tailer's requirements, such as hosting the secure payment pages on the PSP's own servers or even providing IMAs.

2. Custom Encryption: e-Commerce businesses should encrypt their stored data, for instance with SQL Transparent Data Encryption (TDE), which encrypts the database files and backups at rest so that an attacker who steals a disk image or a backup cannot read them. Note what TDE does not do: because the database decrypts transparently for any authenticated session, it offers no protection against an attacker who reaches the data through the application or the database itself, for example via SQL injection or stolen credentials. Sensitive fields such as card data therefore also need application-level (field-level) encryption, with the keys kept outside the database. Low-level, one-click encryption on its own never secures the data.

3. Vulnerability Assessment & Penetration Testing: An e-Commerce website has several important functions, such as order management, coupon and reward management, payment gateway integration, and content management. Each is distinct in nature, so each should undergo regular security assessments to detect the weaknesses present and prevent attacks before they happen.

Establishing trust over the internet is a tough job, especially for e-Commerce businesses. Even a minor cyberattack may discourage customers from transacting on the site for good. Therefore, it is imperative for e-Commerce businesses to look at cybersecurity as a long-term business investment rather than an additional cost. After all, customer satisfaction is what matters most at the end of the day.
